Robust Threshold DSS Signatures

Rosario Gennaro*, Stanisław Jarecki*, Hugo Krawczyk** and Tal Rabin*



Abstract. We present threshold DSS (Digital Signature Standard) signatures where the power to sign is shared by n players such that for a given parameter t < n/2 any subset of 2t + 1 signers can collaborate to produce a valid DSS signature on any given message, but no subset of t corrupted players can forge a signature (in particular, cannot learn the signature key). In addition, we present a robust threshold DSS scheme that can also tolerate n/3 players who refuse to participate in the signature protocol. We can also endure n/4 maliciously faulty players that generate incorrect partial signatures at the time of signature computation. This results in a highly secure and resilient DSS signature system applicable to the protection of the secret signature key, the prevention of forgery, and increased system availability.

Our results significantly improve over a recent result by Langford from CRYPTO'95 that presents threshold DSS signatures which can stand much smaller subsets of corrupted players, namely, $t \approx \sqrt{n}$, and do not enjoy the robustness property. As in the case of Langford's result, our schemes require no trusted party. Our techniques apply to other threshold ElGamal-like signatures as well. We prove the security of our schemes solely based on the hardness of forging a regular DSS signature.



1 Introduction 

Using a threshold signature scheme, digital signatures can be produced by a group of 
players rather than by one party. In contrast to the regular signature schemes where the 
signer is a single entity which holds the secret key, in threshold signature schemes the 
secret key is shared by a group of n players. In order to produce a valid signature on a 
given message m, individual players produce their partial signatures on that message, 
and then combine them into a full signature on m. A distributed signature scheme 
achieves threshold t < n, if no coalition of t (or less) players can produce a new valid 
signature, even after the system has produced many signatures on different messages. A 
signature resulting from a threshold signature scheme is the same as if it was produced 
by a single signer possessing the full secret signature key. In particular, the validity 
of this signature can be verified by anyone who has the corresponding unique public 
verification key. In other words, the fact that the signature was produced in a distributed 
fashion is transparent to the recipient of the signature. 
detection mechanism for wrong partial signatures, one may need to try an (exponential in t) number $\binom{2t}{t}$ of subsets of signers before finding a subset that generates a valid DSS signature. In our case, we achieve a robust threshold solution to DSS signatures tolerating t faults: that is, t or less corrupted players will not be able to forge signatures, and neither will they be able to prevent the system from computing correct signatures by either refusing to cooperate (t < n/3 in this case) or by behaving in any arbitrary malicious way (in this case t < n/4).²

Moreover, our schemes do not require trusting any particular party at any time, including the initial secret key generation. This is an important property achieved by some other ElGamal based threshold signature schemes (including the DSS solution in [Lan95]), but not known for threshold RSA signatures. In the complete version of the paper we will present some additional results, including the application of our techniques to solving threshold signatures for other discrete-log based signatures [ElG85, NR94, HPM94].

Remarkably, our solutions for robust threshold DSS signatures can be proactivized 
using the recent techniques of [HJJ+95] (based on proactive secret sharing of the 
signature key [HJKY95]). In this way, one can keep the DSS signature key fixed for a 
long time while its shares can be refreshed periodically. An adversary that tries to break 
the threshold signature scheme needs then to corrupt t servers in one single period of 
time (which may be as short as one day, one week, etc.), as opposed to having the whole 
lifetime of the key (e.g., 2 years) to do so. 

Technical Overview. The threshold DSS signature schemes need to deal with two technical difficulties: combining shares of two secrets, $a$ and $b$, into shares of the product of these secrets, $ab$; and producing shares for a secret $a$ given the shares of its reciprocal $a^{-1}$ (computations are over a field $Z_q$). Langford [Lan95] solves both problems by presenting a multiplicative version of secret sharing that results in polynomials of degree $O(t^2)$; this requires a high number of active signers for signature computation and allows for only a small threshold. In our case, we solve the first problem (sharing of a product of secrets) using a single product of polynomials (with combined degree $2t$, resulting in the need for only $2t + 1$ active signers). For the second problem, the sharing of a reciprocal, we introduce a simple and novel solution, which does not incur any additional increase in the number of signers. The solution to this problem is of independent interest and has applications to other threshold ElGamal-like signatures. In addition to these techniques we use many tools from other works, such as verifiable secret sharing (both computational and information-theoretic versions), shared generation/distribution of secrets, re-randomization of secret shares, and more. For achieving the robustness of our schemes we apply error correcting techniques due to Berlekamp and Welch [BW] that achieve a very high rate of error correction, which in our scenario translates into supporting higher thresholds. We prove the security of our schemes assuming the infeasibility of forging a regular DSS signature. That is, our schemes are secure if and only if DSS is unforgeable.



The robustness property has been known for some other shared signature schemes, e.g., Harn's solution [Har94] for threshold AMV-signatures enjoys this property. As for threshold RSA, robust solutions have been only recently found (see [FGY96, GJKR96]).



- A Halting Adversary is an eavesdropping adversary that may also cause corrupted 
players to stop sending messages during the execution of the protocol (e.g., by 
crashing or disconnecting a machine). 

- A Malicious Adversary is an eavesdropping adversary that may also cause corrupted 
players to divert from the specified protocol in any (possibly malicious) way. 

We assume that the computational power of the adversary is adequately modeled by 
a probabilistic polynomial time Turing machine. (In fact, it suffices for our results to 
assume that the adversary cannot forge regular DSS signatures, which, in turn, implies 
the infeasibility of computing discrete logarithms.) 

Given a protocol $\mathcal{P}$, the view of the adversary, denoted by $\mathrm{VIEW}_A(\mathcal{P})$, is defined as the probability distribution (induced by the random coins of the players) on the knowledge of the adversary, namely, the computational history of all the corrupted players, and the public communications and output of the protocol.

Signature Scheme. A signature scheme $S$ is a triple of efficient randomized algorithms (Key-Gen, Sig, Ver). Key-Gen is the key generator algorithm. It outputs a pair $(y, x)$, such that $y$ is the public key and $x$ is the secret key of the signature scheme. Sig is the signing algorithm: on input a message $m$ and the secret key $x$, it outputs $sig$, a signature of the message $m$. Ver is the verification algorithm. On input a message $m$, the public key $y$, and a string $sig$, it checks whether $sig$ is a proper signature of $m$.

Threshold secret sharing. Given a secret value $s$ we say that the values $(s_1, \ldots, s_n)$ constitute a $(t, n)$-threshold secret sharing of $s$ if $t$ (or less) of these values reveal no information about $s$, and if there is an efficient algorithm that outputs $s$ having $t + 1$ of the values $s_i$ as inputs.

Threshold signature schemes. Let $S$ = (Key-Gen, Sig, Ver) be a signature scheme. A $(t, n)$-threshold signature scheme $TS$ for $S$ is a pair of protocols (Thresh-Key-Gen, Thresh-Sig) for the set of players $\{P_1, \ldots, P_n\}$.

Thresh-Key-Gen is a distributed key generation protocol used by the players to jointly generate a pair $(y, x)$ of public/private keys. At the end of the protocol the private output of player $P_i$ is a value $x_i$ such that the values $(x_1, \ldots, x_n)$ form a $(t, n)$-threshold secret sharing of $x$. The public output of the protocol contains the public key $y$. The pairs $(y, x)$ of public/secret keys are produced by Thresh-Key-Gen with the same probability distribution as if they were generated by the Key-Gen protocol of the regular signature scheme $S$.

Thresh-Sig is the distributed signature protocol. The private input of $P_i$ is the value $x_i$. The public inputs consist of a message $m$ and the public key $y$. The output of the protocol is the value $sig = \mathrm{Sig}(m, x)$. (The verification algorithm is, therefore, the same as in the regular signature scheme $S$.)

Secure Threshold Signature Schemes. Our definition of security includes both un- 
forgeability and robustness. 

Definition 1. We say that a $(t, n)$-threshold signature scheme $TS$ = (Thresh-Key-Gen, Thresh-Sig) is unforgeable, if no malicious adversary who corrupts at most $t$ players can produce the signature on any new (i.e., previously unsigned) message $m$,



4 Existing Tools

Here we briefly recall a few known techniques that we use in our solutions.

Shamir's Secret Sharing. [Sha79]

Given a secret $a$, choose at random a polynomial $f(x)$ of degree $t$, such that $f(0) = a$. Give to player $P_i$ a share $\sigma_i = f(i) \bmod q$ where $q$ is a prime (we use the interpolation values $i = 1, 2, \ldots, n$ for simplicity; any values in $Z_q$ can be used as well). We will write $(\sigma_1, \ldots, \sigma_n) \xleftrightarrow{(t,n)} a \bmod q$ to denote such a sharing. This protocol generates no public output. It can tolerate $t$ eavesdropping faults if $n \ge t + 1$ and, additionally, $t$ halting faults if $n \ge 2t + 1$. By using error-correcting techniques (as first suggested in [MS81]) the protocol can also tolerate $f$ malicious faults (among the players, excluding the dealer) if $n \ge t + 2f + 1$. In the following we will refer to this protocol by Shamir-SS.

Feldman's Verifiable Secret Sharing. [Fel87]

This protocol can tolerate up to malicious faults including the dealer. Like Shamir's scheme, it generates for each player $P_i$ a share $\sigma_i$ such that $(\sigma_1, \ldots, \sigma_n) \xleftrightarrow{(t,n)} a \bmod q$. If $f(x) = \sum_j a_j x^j$ then the dealer broadcasts the values $\alpha_j = g^{a_j} \bmod p$. This will allow the players to check that the values $\sigma_i$ really define a secret by checking that $g^{\sigma_i} = \prod_j \alpha_j^{i^j} \bmod p$, and also allow detection of incorrect shares $\sigma_i$ at reconstruction time. Notice that the value of the secret is only computationally secure, e.g., the value $\alpha_0 = g^{a} \bmod p$ is leaked. In the following we will refer to this protocol by Feldman-VSS.

Unconditionally Secure Verifiable Secret Sharing. [FM88, Ped91b]

In contrast to Feldman's VSS protocol, this protocol provides information-theoretic secrecy for the shared secret. This is required by some of our techniques in order to achieve provable security. There are two possible implementations of this primitive. One is by Feldman and Micali [FM88] and is based on a bivariate polynomial sharing. Each player receives a share as in Shamir's case plus some extra information that will allow him to check (by exchanging messages with the other players) that the shares do define a polynomial. This implementation tolerates malicious faults. Another possible implementation is the one by Pedersen [Ped91b]. In this implementation the private information of player $P_i$ is the value $\sigma_i$ such that $(\sigma_1, \ldots, \sigma_n) \xleftrightarrow{(t,n)} a \bmod q$. The dealer then commits to each share using an unconditionally secure commitment scheme based on the hardness of discrete log (that is, the secrecy of the committed value is unconditional, but it is possible to open the commitment in a different way if one is able to solve discrete log). The commitment has homomorphic properties that allow the players to check that the shares define a secret as in Feldman's VSS. If one assumes that players are not able to open the commitment in different ways, then at reconstruction time bad shares are detected. The scheme tolerates IL j i malicious faults. Both implementations can be used in our main protocol. In the following we will refer to this protocol as Uncond-Secure-VSS.

Joint Random Secret Sharing. [Ped91a, Ped91b]

In a Joint Random Secret Sharing scheme the players collectively choose shares corresponding to a $(t, n)$-secret sharing of a random value. At the end of such a protocol each



(it is essential for the security of our application that information on $k$ is not revealed during this process).

Problem 1: Computing reciprocals

Given a secret $k \bmod q$ which is shared among players $P_1, \ldots, P_n$, generate a sharing of the value $k^{-1} \bmod q$, without revealing information on $k$ and $k^{-1}$.

Each player $P_i$ holds a share $k_i$ corresponding to a $(t, n)$ secret sharing of $k$, namely, $(k_1, \ldots, k_n) \xleftrightarrow{(t,n)} k$. The computation of shares for $k^{-1}$ is accomplished as follows.

1. The players jointly generate a $(t, n)$ sharing of a random element $a \in Z_q$ using any Joint-RSS protocol (Section 4). We denote the resulting shares by $a_1, a_2, \ldots, a_n$, i.e., $(a_1, \ldots, a_n) \xleftrightarrow{(t,n)} a$.

2. The players execute a $(2t, n)$ Joint-Zero-SS protocol (Section 4) after which each player $P_i$ holds a share $b_i$ of the "secret" 0. (The implicit interpolation polynomial is of degree $2t$.)

3. The players reconstruct the value $\mu = ka$ by broadcasting the values $k_i a_i + b_i$ and interpolating the corresponding $2t$-degree polynomial.

4. Each player computes his share $u_i$ of $k^{-1}$ by setting $u_i = \mu^{-1} a_i \bmod q$.

We refer to the above protocol as the Reciprocal Protocol. The following lemmas can be proven concerning this protocol.

Lemma 4. It holds that $(u_1, \ldots, u_n) \xleftrightarrow{(t,n)} k^{-1}$.

Intuitively, the value $\mu$ revealed in the protocol gives no information on $k$ since $\mu$ is the product of $k$ with a random element $a$. This property is stated in the following lemma.

Lemma 5. (Informal) There exists a simulator SIM such that for any adversary $A$ with access to $t$ shares $k_{i_1}, \ldots, k_{i_t}$ of $k$, $\mathrm{VIEW}_A(\text{Reciprocal-Protocol}(k_1, \ldots, k_n))$ is computationally indistinguishable from $\mathrm{SIM}(k_{i_1}, \ldots, k_{i_t})$.

The proofs of the above lemmas are omitted here as they are implicit in the proofs of our protocols.

Problem 2: Multiplication of two secrets.

Given two secrets $u$ and $v$, which are both shared among the players, compute the product $uv$, while maintaining both of the original values secret (aside from the obvious information which is revealed from the result).

Given that $u$ and $v$ are each shared by a polynomial of degree $t$, each player can locally multiply his shares of $u$ and $v$, and the result will be a share of $uv$ on a polynomial of degree $2t$. Consequently, the value $uv$ can still be reconstructed from a set of $2t + 1$ correct shares. An additional re-randomization procedure (using the Joint-Zero-SS protocol of Section 4) is required to protect the secrecy of the multiplied secret; this randomization is essential because a polynomial of degree $2t$ which is the product of two polynomials of degree $t$ is not a random polynomial, and would expose information about $u$ and $v$.
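The Reciprocal Protocol (Problem 1) and the share multiplication with re-randomization (Problem 2), as an added Python example; this is not code from the paper. It assumes a toy prime q = 1019 and n = 5 players with t = 2, and the secret k is dealt by a trusted dealer only to set the demonstration up (the paper's protocols never need one). The names `deal`, `joint_ss`, `interpolate0`, `reciprocal_protocol`, `multiply_shared` and `demo` are my own. The example runs both protocols end to end, checks that the derived shares reconstruct to k^{-1}, and then multiplies the sharings of k and k^{-1}, which must reconstruct to 1 from 2t + 1 shares.

```python
import random

# Toy field, constructed for this example (not from the paper): all computations are over Z_q.
Q = 1019

def deal(secret, degree, n, rng):
    """Shamir-SS: shares f(1), ..., f(n) of a random degree-`degree` polynomial with f(0) = secret."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(degree)]
    return [sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)]

def joint_ss(degree, n, rng, zero=False):
    """Joint-RSS / Joint-Zero-SS: every player deals its own contribution (a random value,
    or 0) and each player adds up the shares it received; the implicit secret is the sum
    of the contributions, which no single player knows."""
    shares = [0] * n
    for _ in range(n):
        contrib = 0 if zero else rng.randrange(Q)
        shares = [(s + d) % Q for s, d in zip(shares, deal(contrib, degree, n, rng))]
    return shares

def interpolate0(shares, degree):
    """Lagrange interpolation at x = 0 from the first degree + 1 shares (share i sits at x = i + 1)."""
    xs = list(range(1, degree + 2))
    total = 0
    for xi, yi in zip(xs, shares):
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * -xj % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def reciprocal_protocol(k_shares, t, n, rng):
    """Problem 1: turn a (t, n) sharing of k into a (t, n) sharing of k^{-1} without
    revealing k. Returns the new shares and the public value mu = k * a."""
    while True:
        a_shares = joint_ss(t, n, rng)                    # step 1: random a, degree t
        b_shares = joint_ss(2 * t, n, rng, zero=True)     # step 2: sharing of 0, degree 2t
        # step 3: the broadcast values k_i a_i + b_i lie on a degree-2t polynomial whose
        # constant term is k * a, so 2t + 1 of them determine mu = ka and nothing else,
        # because the zero sharing re-randomised every other coefficient
        broadcast = [(k * a + b) % Q for k, a, b in zip(k_shares, a_shares, b_shares)]
        mu = interpolate0(broadcast, 2 * t)
        if mu:   # mu = 0 only if a = 0 (probability 1/q); the protocol is simply rerun
            break
    mu_inv = pow(mu, -1, Q)
    # step 4: u_i = mu^{-1} a_i is a share of mu^{-1} a = (ka)^{-1} a = k^{-1}, still of degree t
    return [mu_inv * a % Q for a in a_shares], mu

def multiply_shared(u_shares, v_shares, t, n, rng):
    """Problem 2: local products u_i v_i are shares of uv on a degree-2t polynomial; a fresh
    degree-2t sharing of 0 is added so that polynomial is random before anyone reveals it."""
    z_shares = joint_ss(2 * t, n, rng, zero=True)
    return [(u * v + z) % Q for u, v, z in zip(u_shares, v_shares, z_shares)]

def demo(seed=1):
    """Share k among n = 2t + 1 players, derive shares of k^{-1}, then multiply the two
    sharings; returns what honest reconstruction of each sharing yields."""
    rng = random.Random(seed)
    t, n = 2, 5
    k = rng.randrange(1, Q)
    k_shares = deal(k, t, n, rng)                          # dealt here only to set up the demo
    u_shares, mu = reciprocal_protocol(k_shares, t, n, rng)
    k_inv = interpolate0(u_shares, t)                      # t + 1 shares suffice (degree t)
    prod_shares = multiply_shared(k_shares, u_shares, t, n, rng)
    product = interpolate0(prod_shares, 2 * t)             # 2t + 1 shares needed (degree 2t)
    return {"k": k, "k_inv": k_inv, "mu": mu, "product": product}
```

Note that `mu` is the only value ever broadcast, and it is the product of k with the uniformly random a, which is the point of Lemma 5; the shares of k^{-1} are never reconstructed by anyone in a real run, the `interpolate0` calls in `demo` exist only to check the result.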



where the $a_i$'s lie on some $t$-degree polynomial $G(\cdot)$, then $\beta = g^{G(0)}$. This can be computed by $\beta = \prod_{i \in V} w_i^{\lambda_{i,V}} = \prod_{i \in V} (g^{a_i})^{\lambda_{i,V}}$, where $V$ is a $(t + 1)$-subset of the correct $w_i$'s and the $\lambda_{i,V}$'s are the corresponding Lagrange interpolation coefficients.

Lemma 6. DSS-Thresh-Sig-1 is a simulatable (in particular unforgeable) threshold DSS signature generation protocol in the presence of up to $t$ eavesdropping faults, where the total number of players is $n \ge 2t + 1$.

Lemma 7. DSS-Thresh-Sig-1 is a $(t, 0, n = 3t + 1)$-robust threshold DSS signature generation protocol, namely it tolerates up to $t$ eavesdropping and halting faults if the total number of players is $n \ge 3t + 1$.

The proofs of these lemmas follow the same lines as the proof of Theorem 9 in Section 8. From the above lemmas we derive the following:

Theorem 8. DSS-Thresh-Sig-1 is a secure, i.e. robust and unforgeable, threshold DSS signature in the presence of $t$ eavesdropping (halting) faults if the total number of players is $n \ge 2t + 1$ ($n \ge 3t + 1$).

8 Robust Threshold DSS Protocols

In this section we present a robust version of protocol DSS-Thresh-Sig-1 which remains secure even in the presence of a fully malicious adversary. The protocol, DSS-Thresh-Sig-2, relies on no assumptions beyond the unforgeability of regular DSS signatures, and can tolerate $t < n/4$ malicious faults.

Outline. The protocol is very similar to DSS-Thresh-Sig-1. The only difference is that here we need verifiable sharing of secrets since we assume a Malicious Adversary. The random value $k$ is jointly generated by the players using an unconditionally secure VSS (Section 4). This guarantees that absolutely no information is leaked on the values $k$ or $k^{-1}$. Then the players compute $r$ as in DSS-Thresh-Sig-1, with the only difference that now the random value $a$ is jointly generated using Feldman's VSS protocol. As before $s$ is computed from the appropriate shares. Whenever we reconstruct a secret, in order to detect bad shares contributed by malicious players we perform error-correcting using the Berlekamp and Welch decoder [BW]. As before, randomization of polynomials (through the joint zero secret sharing protocols) is added in various places in order to hide possible partial information. The full protocol is exhibited in Figure 2.

Notation. In the protocol, we use the following notation:

$v = \text{EC-Interpolate}(v_1, \ldots, v_n)$

If $\{v_1, \ldots, v_n\}$ ($n = 4t + 1$) is a set of values, such that at least $3t$ of the values lie on some $2t$-degree polynomial $F(\cdot)$, then $v = F(0)$. The polynomial can be computed by using the Berlekamp-Welch decoder [BW].

An important technical contribution of our paper is the simulation and the proof of the 
security of this protocol. We prove the following theorem: 




3. (a) In the protocol $A$ receives $t$ shares $a_1, \ldots, a_t$ of a proper sharing including $g^a$ and $g^{a_i}$ for $1 \le i \le n$. As before $a_i$ for $1 \le i \le t$ is uniformly distributed in $[0..q-1]$. The values $\hat{a}_i$ for $1 \le i \le t$ were chosen by SIM under the exact same distribution (Step 4), hence the two distributions are the same. The value $g^{\hat{a}}$ was generated by choosing a random value $\mu$ uniformly distributed in $[1..q-1]$ and computing a value equal to $g^{k^{-1}\mu}$. The value $k^{-1}\mu$ is uniformly distributed in $[1..q-1]$, hence the distributions of $g^a$ and $g^{\hat{a}}$ are computationally indistinguishable. The rest of the values $g^{\hat{a}_i}$ for $t + 1 \le i \le n$ are obtained through a deterministic computation from $g^{\hat{a}}$ and $g^{\hat{a}_i}$ for $1 \le i \le t$, hence they too are computationally indistinguishable from $g^{a_i}$ for $t + 1 \le i \le n$.

(b) The public values $v_1, \ldots, v_n$ interpolate to some random uniformly distributed value in $[1..q-1]$. The shares $\hat{v}_1, \ldots, \hat{v}_n$ interpolate the value $\mu$ which is random and uniformly distributed in $[1..q-1]$. In addition, the share $v_i$, for $1 \le i \le t$, satisfies $v_i = k_i a_i + b_i$. The share $\hat{v}_i$ for $1 \le i \le t$ was generated in this manner (SIM-Computation Step 5).

4. Same argument as above, noting that the shares interpolate the secret $a$, and that they were properly generated in SIM-Computation Step 6.

This completes the proof of Lemma 11.

9 Malicious Adversary, $n \ge 3t + 1$

We have also devised a DSS distributed signature generation protocol which is secure 
in the presence of a Malicious Adversary when n > 3t + 1 where t is the number of 
faults. In other words, it is secure against an adversary who can corrupt at most a third 
of the players and can make them deviate arbitrarily from their prescribed instructions. 
For lack of space we present only an outline of the protocol. The details will appear in 
the complete version of the paper. 

However, this algorithm is provably secure only under the following assumption: let $p$ be a prime of the form $p = kq + 1$ where $q$ is another large prime and $g$ an element of order $q$ in $Z_p^*$. Let $G$ be the subgroup generated by $g$.

Conjecture 1. Choose $u, v$ at random, uniformly and independently in $Z_q$. The following probability distributions on $G \times G$, $(g^u \bmod p, g^v \bmod p)$ and $(g^u \bmod p, g^{u^{-1}} \bmod p)$, are computationally indistinguishable.

In other words, we assume that for random $u$, the value $g^u$ reveals no computational information on the value $g^{u^{-1}}$.

Outline. This protocol differs from DSS-Thresh-Sig-2 by more extensive use of Feldman-type verifiability instead of using unconditionally secure VSS and error-correcting codes. This shift allows for achieving robustness in the presence of a larger number of malicious faults (a third instead of one fourth). The random value $k$ is distributively generated using Feldman's VSS. Notice that this exposes the value $g^k$, which is extra information that the adversary would not receive from a regular DSS signature. However, if Conjecture 1 holds we can claim that this knowledge would not help an adversary in forging signatures (indeed if it did, such an adversary could be used to distinguish between "reciprocals in the exponent", where $k$ replaces the value $u$ in the conjecture). A difficulty arises when in the protocol we need to reveal the product of two secrets (i.e., when using the Multiplication Protocol of Section 6). In this case, the public information of Feldman's VSS is not enough to detect faulty players who reveal incorrect multiplication shares. In order to overcome this difficulty we require the players to perform Chaum's zero-knowledge proof of equality of discrete logs [Cha90] (originally designed in the context of undeniable signatures). The basic idea is that if two secrets $a$ and $b$ are shared with Feldman's VSS, then each player has a share $c_i = a_i b_i$ of $c = ab$. However, if we want to reconstruct $c$, we cannot sieve out bad shares as in Feldman, since we do not have the values $g^{c_i}$ but only $g^{a_i}$ and $g^{b_i}$. So we require each player to publish $g^{a_i b_i}$ and prove using Chaum's proof that $DL_g(g^{a_i}) = DL_{g^{b_i}}(g^{a_i b_i})$. As before, randomization of polynomials is added when needed in order to protect partial information.
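The product-share check from the outline above, as an added Python example (mine, not the paper's code): with two Feldman-shared values the commitments g^{a_i} and g^{b_i} are public, so player i publishes g^{a_i b_i} and proves DL_g(g^{a_i}) = DL_{g^{b_i}}(g^{a_i b_i}) with a Chaum-style proof of equal discrete logarithms. Assumptions: the toy group p = 2039, q = 1019, g = 4 of order q; the paper's proof is interactive, and the verifier's random challenge is replaced here by a SHA-256 hash of the transcript (Fiat-Shamir), a choice made for this example; the function names are my own. The demo shows an honest share passing and a share that is off by a factor g being rejected, something the Feldman commitments alone could not catch.

```python
import hashlib
import random

# Toy group constructed for this example (not from the paper): g = 4 has prime order q in Z_p^*.
P, Q, G = 2039, 1019, 4

def challenge(*elements):
    """Verifier's challenge in [1, q-1]. The paper's proof is interactive; the SHA-256 hash of
    the transcript (Fiat-Shamir) stands in for the verifier here, a choice made for this example."""
    h = hashlib.sha256(",".join(map(str, elements)).encode()).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)

def prove_equal_dlog(a, B, rng):
    """Prover knows a with A = g^a and publishes C = B^a together with a proof that
    log_g(A) = log_B(C): commit to w with (g^w, B^w), then answer z = w + c*a."""
    A, C = pow(G, a, P), pow(B, a, P)
    w = rng.randrange(1, Q)
    T1, T2 = pow(G, w, P), pow(B, w, P)
    c = challenge(G, B, A, C, T1, T2)
    return C, (T1, T2, (w + c * a) % Q)

def verify_equal_dlog(A, B, C, proof):
    """Both g^z = T1 * A^c and B^z = T2 * C^c must hold for the recomputed challenge."""
    T1, T2, z = proof
    c = challenge(G, B, A, C, T1, T2)
    return pow(G, z, P) == T1 * pow(A, c, P) % P and pow(B, z, P) == T2 * pow(C, c, P) % P

def product_share_check(a_i, b_i, rng, cheat=False):
    """Section 9 setting: g^{a_i} and g^{b_i} are public from Feldman's VSS, player i publishes
    g^{a_i b_i} and proves DL_g(g^{a_i}) = DL_{g^{b_i}}(g^{a_i b_i}). With cheat=True the player
    publishes g^{a_i b_i + 1} instead, which the public values alone cannot expose but the
    proof does. Returns the verifier's verdict."""
    A, B = pow(G, a_i, P), pow(G, b_i, P)
    C, proof = prove_equal_dlog(a_i, B, rng)
    if cheat:
        C = C * G % P
    return verify_equal_dlog(A, B, C, proof)

def demo(seed=5):
    """Constructed sample shares a_i = 123, b_i = 456: honest verdict, then cheating verdict."""
    rng = random.Random(seed)
    return product_share_check(123, 456, rng), product_share_check(123, 456, rng, cheat=True)
```

The challenge is taken from [1, q-1] rather than [0, q-1] so that a wrong C can never slip through by a zero challenge: if the recomputed challenge differs, the first equation fails; if it coincides, the second equation reduces to g^c = 1, which is impossible for c in that range.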

10 Efficiency Considerations 

As in the case of the generation of regular DSS signatures the most expensive part of our 
protocols is the computation of r, as it includes all the modular exponentiations and the 
interactive exchange of messages between players. However (as in the case of regular 
DSS signatures) such computation can be performed off-line. In this case the signature 
generation becomes extremely efficient and non-interactive. 
DSS Signature Generation - Protocol DSS-Thresh-Sig-2

1. Generate $k$

The trustees generate a secret value $k$, uniformly distributed in $Z_q$, by running Joint-Uncond-Secure-RSS with a polynomial of degree $t$. Notice that this generates $(k_1, \ldots, k_n) \xleftrightarrow{(t,n)} k \bmod q$.

Secret information of $T_i$: a share $k_i$ of $k$

2. Generate random polynomials with constant term 0

Execute two instances of Joint-ZeroSS with polynomials of degree $2t$ as underlying scheme. Denote the shares created in these protocols as $\{b_i\}_{i \in \{1..n\}}$ and $\{c_i\}_{i \in \{1..n\}}$.

Secret information of $T_i$: shares $b_i$, $c_i$

Public information: $g^0 = 1$, $g^{b_i}$, $g^0 = 1$, $g^{c_i}$, $1 \le i \le n$

3. Generate $r = g^{k^{-1}} \bmod p \bmod q$

(a) Generate a random value $a$, uniformly distributed in $Z_q^*$, with a polynomial of degree $t$, using Joint-Feldman-RSS.

Secret information of $T_i$: a share $a_i$ of $a$
Public information: $g^a$, $g^{a_i}$, $1 \le i \le n$

(b) Trustee $T_i$ broadcasts $v_i = k_i a_i + b_i \bmod q$. If $T_i$ doesn't broadcast a value, set $v_i$ to null.

Public information: $v_1, \ldots, v_n$ where for at least $n - t$ values $j$ it holds that $v_j = k_j a_j + b_j \bmod q$

(c) Trustee recomputes locally

- $\mu = \text{EC-Interpolate}(v_1, \ldots, v_n) \bmod q$ [$= ka \bmod q$]

- $\mu^{-1} \bmod q$ [$= k^{-1} a^{-1} \bmod q$]

- $r = (g^a)^{\mu^{-1}} \bmod p \bmod q$ [$= g^{k^{-1}} \bmod p \bmod q$]

Note: Even though the above computations are local, as they are done on public information we can assume that:

Public information: $r$

4. Generate $s = k(m + xr) \bmod q$

Trustee $T_i$ broadcasts $s_i = k_i(m + x_i r) + c_i \bmod q$.

Public information: $s_1, \ldots, s_n$ where for at least $n - t$ values $j$ it holds that $s_j = k_j(m + x_j r) + c_j \bmod q$

Set $s = \text{EC-Interpolate}(s_1, \ldots, s_n)$.

5. Output the pair $(r, s)$ as the signature for $m$

Fig. 2. DSS - Distributed signature generation - Malicious Adversary, $n \ge 4t + 1$
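Protocol DSS-Thresh-Sig-2 from Figure 2 run end to end, with EC-Interpolate implemented as the Berlekamp-Welch decoder named in the notation paragraph of Section 8; this is an added Python example, not the paper's code. Assumptions: the toy group p = 2039, q = 1019, g = 4 with n = 4t + 1 = 5 trustees and t = 1; the joint sharings are plain Shamir sharings summed over all dealers, so the verifiability of Joint-Uncond-Secure-RSS and Joint-Feldman-RSS (commitments and consistency checks) is not modelled, only the error-correcting reconstruction that survives one trustee broadcasting wrong values in steps 3(b) and 4; Thresh-Key-Gen is stood in for by the same joint sharing of x with public y = g^x; the function names are my own. The output is checked with ordinary DSS verification, which is what makes the distributed generation transparent to the verifier.

```python
import random

# Toy DSS group constructed for this example (not from the paper): q divides p - 1 and g = 4
# has order q in Z_p^*; real DSS uses a 160-bit q and a 1024-bit or larger p.
P, Q, G = 2039, 1019, 4

def solve_mod(rows):
    """Gauss-Jordan over Z_Q on augmented rows [a_1..a_m, b]: one solution (free variables 0) or None."""
    m = len(rows[0]) - 1
    rows, pivots, r = [row[:] for row in rows], [], 0
    for c in range(m):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, Q)
        piv = rows[r] = [v * inv % Q for v in rows[r]]
        rows = [row if row is piv else [(a - row[c] * b) % Q for a, b in zip(row, piv)] for row in rows]
        pivots.append(c)
        r += 1
    if any(not any(row[:m]) and row[m] for row in rows):
        return None                                   # inconsistent: more errors than assumed
    x = [0] * m
    for i, c in enumerate(pivots):
        x[c] = rows[i][m]
    return x

def poly_divmod(num, den):
    """Long division over Z_Q (coefficient lists, lowest degree first); den must be monic."""
    num, dn = num[:], len(den) - 1
    quot = [0] * max(len(num) - dn, 1)
    for i in range(len(num) - 1, dn - 1, -1):
        c = quot[i - dn] = num[i]
        for j in range(dn + 1):
            num[i - dn + j] = (num[i - dn + j] - c * den[j]) % Q
    return quot, num[:dn]

def ec_interpolate(values, d, e):
    """EC-Interpolate via Berlekamp-Welch: F(0) for the degree-d polynomial F on which all but
    at most e of the points (i + 1, values[i]) lie; needs len(values) >= d + 2e + 1. Unknowns are
    N(x) of degree d + e and a monic error locator E(x) of degree e with N(x_i) = y_i E(x_i);
    every solution satisfies N = F * E, so F falls out of a polynomial division."""
    rows = []
    for i, y in enumerate(values):
        x = i + 1
        row = [pow(x, j, Q) for j in range(d + e + 1)]           # coefficients n_0 .. n_{d+e}
        row += [-y * pow(x, j, Q) % Q for j in range(e)]          # coefficients e_0 .. e_{e-1}
        rows.append(row + [y * pow(x, e, Q) % Q])                 # monic x^e term, moved to the rhs
    sol = solve_mod(rows)
    if sol is None:
        raise ValueError("more than e values are wrong")
    F, rem = poly_divmod(sol[:d + e + 1], sol[d + e + 1:] + [1])
    if any(rem):
        raise ValueError("more than e values are wrong")
    return F[0]

def deal(secret, degree, n, rng):
    """Shamir-SS: shares f(1), ..., f(n) of a random degree-`degree` polynomial with f(0) = secret."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(degree)]
    return [sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)]

def joint_ss(degree, n, rng, zero=False):
    """Each trustee deals its own contribution (0 for Joint-ZeroSS, random otherwise) and the
    shares are summed. Also returns g^secret, the public value a Feldman-style dealing exposes;
    per-share commitments and the VSS consistency checks are not modelled here."""
    shares, g_secret = [0] * n, 1
    for _ in range(n):
        contrib = 0 if zero else rng.randrange(1, Q)
        shares = [(s + d) % Q for s, d in zip(shares, deal(contrib, degree, n, rng))]
        g_secret = g_secret * pow(G, contrib, P) % P
    return shares, g_secret

def thresh_sig_2(m, x_shares, t, rng, cheater):
    """DSS-Thresh-Sig-2 (Figure 2) with n = 4t + 1 trustees holding degree-t shares x_i of the
    signing key; trustee `cheater` broadcasts garbage in steps 3(b) and 4."""
    n = 4 * t + 1
    while True:
        k_shares, _ = joint_ss(t, n, rng)                    # 1: secret k, degree t
        b_shares, _ = joint_ss(2 * t, n, rng, zero=True)     # 2: two zero sharings, degree 2t
        c_shares, _ = joint_ss(2 * t, n, rng, zero=True)
        a_shares, g_a = joint_ss(t, n, rng)                  # 3(a): random a with public g^a
        v = [(k * a + b) % Q for k, a, b in zip(k_shares, a_shares, b_shares)]   # 3(b)
        v[cheater] = rng.randrange(Q)                        # the malicious trustee's broadcast
        mu = ec_interpolate(v, 2 * t, t)                     # 3(c): mu = k a despite t bad v_i
        if mu == 0:
            continue                                         # a = 0 or k = 0: rerun
        r = pow(g_a, pow(mu, -1, Q), P) % Q                  # (g^a)^(mu^-1) = g^(k^-1) mod p mod q
        s_parts = [(k * (m + x * r) + c) % Q for k, x, c in zip(k_shares, x_shares, c_shares)]  # 4
        s_parts[cheater] = rng.randrange(Q)
        s = ec_interpolate(s_parts, 2 * t, t)
        if r and s:
            return r, s                                      # 5

def dss_verify(m, r, s, y):
    """Standard DSS verification against y = g^x; nothing about it changes with thresholding."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, m * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def demo(seed=7, t=1):
    """Jointly shared key x with public y = g^x, then one signature with trustee 4 misbehaving."""
    rng = random.Random(seed)
    x_shares, y = joint_ss(t, 4 * t + 1, rng)
    m = 12345 % Q                                            # the hashed message as an element of Z_q
    r, s = thresh_sig_2(m, x_shares, t, rng, cheater=4)
    return dss_verify(m, r, s, y), (r, s)
```

The decoder needs len(values) ≥ d + 2e + 1 points with at most e of them wrong; with d = 2t and e = t that is exactly the n = 4t + 1 of Figure 2. A trustee that stays silent (a null v_i) is not handled by this toy, which only models wrong values.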



Group-oriented (t, n) threshold digital signature scheme and digital multisignature

L. Harn

Indexing terms: Threshold cryptosystem, Digital signature, Multisignature, Signature verification



Abstract: The paper presents group-oriented (t, n) threshold digital signature schemes based on the difficulty of solving the discrete logarithm problem. By employing these schemes, any t out of n users in a group can represent this group to sign the group signature. The size of the group signature and the verification time of the group signature are equivalent to that of an individual digital signature. In other words, the (t, n) threshold signature scheme has the following five properties: (i) any group signature is mutually generated by at least t group members; (ii) the size of the group signature is equivalent to the size of an individual signature; (iii) the signature verification process is simplified because there is only one group public key required; (iv) the group signature can be verified by any outsider; and (v) the group holds the responsibility to the signed message. In addition to the above properties, two of the schemes proposed do not require the assistance of a mutually trusted party. Each member selects its own secret key and the group public key is determined by all group members. Each group member signs a message separately and sends the individual signature to a designated clerk. The clerk validates each individual signature and then combines all individual signatures into a group signature. The (n, n) threshold signature scheme can be easily extended to become a digital multisignature scheme.



1 Introduction 

The threshold cryptosystem was first introduced by Desmedt [4] in 1987. In this system, each group, instead of each group member, publishes a single group public key. An outsider can use this single public key to send an encrypted message to this group. The received ciphertext can only be deciphered properly when the number of participating group members is larger than or equal to the threshold value. All up-to-date solutions for the group-oriented threshold cryptosystem can be classified into the following two categories: (i) solutions with the assistance of a mutually trusted party to decide the group secret key and generate individual secrets for all group members [5, 8, 10]; and (ii) solutions without the assistance of a mutually trusted party [13, 16]. As pointed out by Ingemarsson and Simmons [11], in most applications a trusted party in a group does not exist. This situation becomes more common in some commercial and/or international applications. Thus, the solutions without the assistance of a mutually trusted party become very attractive.

The threshold signature scheme is very similar to the threshold cryptosystem. In a threshold signature scheme, the group signature can only be generated when the number of participating group members is larger than or equal to the threshold value. Any outsider can use a group public key to verify this group signature. Boyd [2] proposed the first (n, n) group-oriented signature based on the RSA assumption [18] in 1986. In his scheme, if the number of group members is larger than two, most of the members can only sign the message blindly. Chaum and van Heyst [3] proposed another (n, n) group-oriented signature scheme in Eurocrypt '91. In their scheme, the number of listed group public keys is not limited to one. In 1991, Desmedt and Frankel [6] proposed the first (t, n) threshold digital signature scheme based on the RSA assumption. In their scheme, a trusted key authentication center (KAC) is required for determining the group secret key and all members' secret keys. A group-oriented (n, n) undeniable signature scheme [9] was presented in Auscrypt '92. Unlike the normal signature that can be verified by any outsider, the undeniable signature can only be verified with the cooperation of all signers.

The threshold signature scheme can be applied to solve the problem of issuing checks for a corporation. For security reasons, it may be a company's policy that checks be signed by at least t individuals rather than one person. More formally, a (t, n) threshold digital signature scheme is designed to break the group secret key $K$ into $n$ different 'shadows', $K_1, K_2, \ldots, K_n$, so that:

(i) with knowledge of any $t$ 'shadows' ($t \le n$), the group signature can be easily produced;

(ii) with knowledge of any $t - 1$ or fewer 'shadows', it is impossible to forge a group signature;

(iii) it is impossible to derive the group secret key from the released group signature and all partial signatures; and

(iv) it is impossible to derive any secret 'shadow' from the released group signature and all partial signatures.

This definition is very similar to the definition of a (t, n) threshold secret sharing scheme. The major difference is that, in the secret sharing scheme, since the secret 'shadows' are exchanged among users and the group secret key is derived after each secret reconstruction process, the group secret key can only be used once if no other encryption scheme has been used; however, in the signature scheme, since the secret 'shadows' and the group secret key are never revealed in the cleartext form, the group secret key can be used repeatedly. In other words, the (t, n) threshold signature scheme integrates the secret sharing scheme and the digital signature scheme together to provide an efficient solution for group-oriented application.

The group signature is a kind of digital multisignature which is generated by multiple signers with knowledge of multiple secrets. Generally speaking, one of the major differences between a hand-written and a digital multisignature is the size of the multisignature. In a hand-written multisignature the size is linear in the number of signers but, in a digital multisignature, the size can be identical to a single signature. A digital multisignature is just a string of binary bits that can only be generated with the knowledge of a set of secret keys. An outsider can easily verify the authenticity of a given message based on the multisignature and the signers' public keys. In other words, a digital multisignature is just a one-way trapdoor function. With the knowledge of a set of the trapdoor secrets, it is possible to generate a one-way output as the digital multisignature. Thus, it is not necessary for the size of the digital multisignature to be linear in the number of signers.



2 Modified EIGamal signature scheme 

This scheme was developed from ElGamai's original sig- 
nature scheme [7] in 1985, the modified EIGamal scheme 
being proposed by Agnew et al [1] in 1990. 

The scheme starts with a large prime p and a primitive
element $\alpha$ of GF(p), which are publicly known. In
order to provide adequate security, Pohlig and Hellman
[17] indicate that p should be selected such that p - 1
contains at least one large prime factor. They recommend
choosing p = 2p' + 1, where p' is also a large prime. A
one-way function f also needs to be made public.

In this scheme, each user selects a random exponent z
from GF(p) as his private key. Suppose user A randomly
selects a number $z_A$ from [1, p - 1]. Then A computes

$y_A = \alpha^{z_A} \bmod p$

as A's public key. Assume that A wants to sign a message
m. User A then randomly selects a number k from
[1, p - 1] and computes

$r = \alpha^{k} \bmod p$

User A now solves the congruence

$z_A m' = k r + s \pmod{p-1}$

or

$s = z_A m' - k r \pmod{p-1}$ (1)

for the integer s, where $0 \le s \le p - 2$ and $m' = f(m)$. The
one-way function f is used to add redundancy to m and
so avoid ElGamal's attack [7]. The signature for
message m is then the ordered pair {r, s}.

Upon receiving the set {m, r, s}, any user can verify
the signature of message m as

$y_A^{m'} = r^{r} \alpha^{s} \bmod p$ (2)

where $m' = f(m)$. There are two reasons for building a
scheme based on this modified scheme.
(i) In order to simplify the signature verification, it is
desirable to use a universal modulus p for all members to
sign their individual signatures. In the RSA scheme,
however, if the modulus n is universal and each member
needs to know the factoring of n in order to decide his
secret key, there will be no secret among the internal
members. In this modified scheme, the modulus p con-
tains no secret information at all.

(ii) As described later, the multiple individual signa-
tures $\{r_i, s_i\}$, i = 1, 2, ..., n, which correspond to the
same message and are produced by this scheme, can be
combined into a multisignature without any data expansion.
In addition, the multisignature can also be verified very
efficiently. By contrast, the original ElGamal scheme and
the modified scheme proposed by Agnew et al cannot
combine multiple individual signatures efficiently.

2.1 Security discussion 

The security analysis of the modified scheme is very
similar to the security analysis of the scheme proposed by
Agnew et al [1]. Here, some possible attacks are briefly
examined.

(i) An attacker might try to solve for the secret key $z_A$
from the linear eqn. 1. For a given message and sig-
nature pair, eqn. 1 involves two unknown parameters,
$z_A$ and k. Each additional message and signature pair
adds one equation but also one fresh unknown k. There-
fore, the number of unknown parameters is always larger
than the number of available equations, and this attack
cannot succeed. Note that the argument relies on k being
chosen fresh and kept secret for every signature: if the
same k is reused for two messages, the two instances of
eqn. 1 share both unknowns and can be solved for $z_A$.

(ii) The attacker might try to forge a signature pair for
a given message based on eqn. 2. He might try to ran-
domly select an integer r' first and then compute the cor-
responding s' from eqn. 2. Obviously, this is equivalent
in difficulty to solving the discrete logarithm problem. On
the other hand, he might try to randomly select an
integer s' first and then compute the corresponding r'.
This is an extremely difficult problem, and in all likeli-
hood is more difficult than the discrete logarithm
problem itself [1].
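The modified ElGamal scheme of this section, as an added worked example (this is illustrative code, not code from the paper): signing by eqn. 1, verification by eqn. 2, and the fresh-k precondition behind attack (i) made concrete by recovering $z_A$ from two signatures that share a k. The safe prime p = 2039 = 2·1019 + 1, SHA-256 reduced modulo p - 1 as the one-way function f, and the function names are assumptions for illustration; a deployment needs a p of at least 512 bits.

```python
import hashlib
import math
import secrets

# Toy parameters (assumption): a safe prime p = 2p' + 1 as Pohlig and Hellman
# recommend. Real deployments need p of at least 512 bits.
P = 2039
P_PRIME = (P - 1) // 2   # 1019, also prime


def primitive_element(p, p_prime):
    """Smallest primitive element alpha of GF(p) for a safe prime p = 2p'+1:
    alpha is primitive iff alpha^2 != 1 and alpha^p' != 1 (mod p)."""
    for a in range(2, p):
        if pow(a, 2, p) != 1 and pow(a, p_prime, p) != 1:
            return a
    raise ValueError("no primitive element found; is p a safe prime?")


ALPHA = primitive_element(P, P_PRIME)


def f(m: bytes, p: int = P) -> int:
    """One-way function f: SHA-256 of the message reduced modulo p - 1 (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)


def keygen(p: int = P, alpha: int = ALPHA):
    """Private key z in [1, p-1]; public key y = alpha^z mod p."""
    z = secrets.randbelow(p - 1) + 1
    return z, pow(alpha, z, p)


def sign(z: int, m: bytes, k: int = None, p: int = P, alpha: int = ALPHA):
    """Signature {r, s} with r = alpha^k mod p and s = z*m' - k*r mod (p-1) (eqn. 1).
    No modular inverse of k is needed, which is what makes the partial
    signatures of the later sections additive. k must be fresh for every signature."""
    if k is None:
        k = secrets.randbelow(p - 1) + 1
    r = pow(alpha, k, p)
    s = (z * f(m, p) - k * r) % (p - 1)
    return r, s


def verify(y: int, m: bytes, sig, p: int = P, alpha: int = ALPHA) -> bool:
    """Eqn. 2: y^{m'} == r^r * alpha^s (mod p)."""
    r, s = sig
    return pow(y, f(m, p), p) == (pow(r, r, p) * pow(alpha, s, p)) % p


def recover_key_from_reused_k(y, m1, sig1, m2, sig2, p: int = P, alpha: int = ALPHA):
    """If the same k was used twice (visible as r1 == r2), subtracting the two
    instances of eqn. 1 gives z*(m1' - m2') == s1 - s2 (mod p-1), a single
    unknown. The congruence has gcd(m1'-m2', p-1) candidate solutions; the one
    matching the public key is returned, or None if k was not reused."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        return None
    d = (f(m1, p) - f(m2, p)) % (p - 1)
    e = (s1 - s2) % (p - 1)
    g = math.gcd(d, p - 1)
    if d == 0 or e % g:
        return None
    n = (p - 1) // g
    z0 = (e // g) * pow(d // g, -1, n) % n
    for z in range(z0, p - 1, n):       # all g candidates modulo p-1
        if pow(alpha, z, p) == y:
            return z
    return None
```

`sign` deliberately accepts an explicit k only so that the reuse case can be reproduced; in practice k comes from a CSPRNG and is discarded after use.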



3 (n, n) Threshold signature scheme without the
assistance of a mutually trusted party and
digital multisignature scheme

Assume that the group policy requires that a group sig- 
nature must be mutually signed by all group members. A 
group-oriented signature scheme consists of three phases: 
the public keys generating phase, the group signature 
generating phase, and the group signature verification 
phase. During the group and member public keys gener- 
ating phase, all members select their individual secret 
keys and work together to determine the group public 
key. In the group signature generating phase, each group 
member receives a copy of the message to be signed. A
member then signs the message and sends it along with
the signature to a designated clerk. The designated clerk
is responsible for collecting and authenticating each indi- 
vidual signature signed by each member, and produces a 
combined group signature. There is no secret information 
associated with the designated clerk. 

3.1 Public keys generating phase

The scheme allows each member in a group to select his
own secret key and all members to determine the group
public key together. Assume that there are n group
members.

A large prime p, a primitive element $\alpha$ of GF(p), and a
one-way function f need to be made public.

Each member randomly selects an integer $z_i$ from
[1, p - 1] and computes a corresponding public key as

$y_i = \alpha^{z_i} \bmod p$

The group public key y is then determined by all
members as

$y = \prod_{i=1}^{n} y_i \bmod p$

3.2 Group signature generating phase
The scheme allows group members to sign a message
simultaneously. This phase can be further divided into
two parts.

Part 1: Generating and verifying individual signatures. The
procedure for generating an individual signature can be
described as follows.

(i) Each member $u_i$ randomly selects a number $k_i$ from
[1, p - 1] and computes

$r_i = \alpha^{k_i} \bmod p$

(ii) The result $r_i$ is broadcast to all members. Once
$r_i$, i = 1, 2, ..., n, from all members are available through
the broadcast channel, each member computes the value
r as

$r = \prod_{i=1}^{n} r_i \bmod p$

(iii) Member $u_i$ uses his secret keys $z_i$ and $k_i$ to sign
the message m based on the modified signature scheme
and solves the equation

$s_i = z_i m' - k_i r \pmod{p-1}$

for the integer $s_i$, where $0 \le s_i \le p - 2$ and $m' = f(m)$, and
transmits $\{m, s_i\}$ to the clerk. Note here that the individ-
ual signature $\{r_i, s_i\}$ is a partial signature of message m.

Once the clerk receives the individual signature $\{r_i, s_i\}$
from $u_i$, he needs to verify the validity of this signature.
To do this the clerk uses $u_i$'s public key $y_i$ to check

$y_i^{m'} = r_i^{r} \alpha^{s_i} \bmod p$

where $m' = f(m)$. If the equation holds true, the partial
signature $\{r_i, s_i\}$ of message m received from $u_i$ has been
verified.

Part 2: Generating the group signature. Once all partial
signatures are received and verified by the clerk,
the group signature of message m can be generated as
{r, s}, where $s = s_1 + s_2 + \cdots + s_n \pmod{p-1}$.

3.3 Group signature verification phase
After receiving the group signature {r, s} of the message
m, an outsider needs to use the group public key y to
verify the validity of the signature. The verification pro-
cedure is given as

$y^{m'} = r^{r} \alpha^{s} \bmod p$

where $m' = f(m)$. If the equation holds true, the group
signature {r, s} has been verified.

Theorem: If $y^{m'} = r^{r} \alpha^{s} \bmod p$, the group signature {r, s}
has been verified.

Proof: With the knowledge of the secret key $z_i$, user $u_i$ is able
to generate its partial signature $\{r_i, s_i\}$ for message m to
satisfy

$y_i^{m'} = r_i^{r} \alpha^{s_i} \bmod p$

where $m' = f(m)$. Multiplying the above equation for
i = 1, 2, ..., n yields

$\prod_{i=1}^{n} y_i^{m'} = \prod_{i=1}^{n} r_i^{r} \alpha^{s_i} \bmod p$

This relation is the same as

$\left(\prod_{i=1}^{n} y_i\right)^{m'} = \left(\prod_{i=1}^{n} r_i\right)^{r} \alpha^{\sum_{i=1}^{n} s_i} \bmod p$

Since

$r = \prod_{i=1}^{n} r_i \bmod p$

$s = s_1 + s_2 + \cdots + s_n \pmod{p-1}$

and

$y = \prod_{i=1}^{n} y_i \bmod p$

then

$y^{m'} = r^{r} \alpha^{s} \bmod p$

3.4 Security 

The security analysis of this signature scheme is very
similar to the security analysis of the modified signature
scheme just described. Here, some possible attacks are
briefly examined.

(i) Instead of satisfying $y_i^{m'} = r_i^{r_i} \alpha^{s_i} \bmod p$ as in the
modified signature scheme, the partial signature in the
group signature scheme needs to satisfy $y_i^{m'} = r_i^{r} \alpha^{s_i} \bmod p$.
Since $r_i$ and r are public values and contain no secrets,
the attacker cannot recover any secret from this equation.

(ii) With the knowledge of all partial signatures and
the group signature, the attacker needs to solve the equa-
tion

$(z_1 + z_2 + \cdots + z_n)\, m' = (k_1 + k_2 + \cdots + k_n)\, r + (s_1 + s_2 + \cdots + s_n) \pmod{p-1}$

in order to determine the secret keys. It has the same
difficulty as in the modified signature scheme.

(iii) An attacker might try to impersonate user $u_i$ by
randomly selecting an $r'_i$ and then obtaining

$r' = r'_i \prod_{j=1,\, j \ne i}^{n} r_j \bmod p$

The attacker then needs to find a value $s'_i$ satisfying
$y_i^{m'} = r_i'^{\,r'} \alpha^{s'_i} \bmod p$. This is equivalent in difficulty
to solving the discrete logarithm problem. On the other
hand, an attacker might first randomly select a pair
$(r'_i, s'_i)$ and then broadcast the forged $r'_i$, which gives

$r' = r'_i \prod_{j=1,\, j \ne i}^{n} r_j \bmod p$

Since r' depends on the values $r_j$ of the other members,
which the attacker does not control, $y_i^{m'} \ne r_i'^{\,r'} \alpha^{s'_i} \bmod p$
and this forged partial signature $(r'_i, s'_i)$ cannot satisfy
the signature verification equation. It is therefore con-
cluded that, although the partial value $r_i$ from each
member is not authenticated by the other members and
an attacker can easily change this value, mounting a
successful attack is infeasible. If necessary, each member
can still sign $r_i$ and make the signature of $r_i$, together
with $r_i$ itself, available on the broadcast channel.

(iv) If the clerk is allowed to collect all $r_i$ from the
members and to broadcast the product r for all
members to sign accordingly, there is a possible active
attack by the clerk. Instead of broadcasting r, the clerk
broadcasts $r^* = r^{t} \bmod p$, for an exponent t of his
choice, for all members to use when signing. The members
then return partial signatures $s_i = z_i m' - k_i r^* \pmod{p-1}$
on the digest $m' = f(m)$; their sum s is not a valid signa-
ture on m together with $r^*$, but since

$r^{* r^*} \alpha^{s t} = \alpha^{t (k r^* + s)} = \alpha^{t z m'} \bmod p$

(where z and k are the sums of the members' $z_i$ and $k_i$),
the clerk can successfully forge a signature pair
$(r^*, s t \bmod (p-1))$ for any message whose digest is
$m'' = m' t \bmod (p-1)$. Since t can be chosen freely by the
clerk ($t = m'' m'^{-1} \bmod (p-1)$ whenever m' is invertible),
this attack can be applied to forge a signature on any
message. Thus, it is recommended that all group members
compute r themselves from the broadcast $r_i$ to avoid this
attack.
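The (n, n) protocol of sections 3.2 and 3.3 and the clerk attack of item (iv), as an added worked example (illustrative code, not code from the paper). It assumes the same toy safe prime p = 2039 and SHA-256 reduced modulo p - 1 as f; the `Member` class and the `malicious_clerk_forge` routine are illustrative names, not the paper's. `group_sign` has every member compute r from the broadcast $r_i$ itself, as the paper recommends, and the clerk only checks the partials; `malicious_clerk_forge` shows what happens when the members instead sign the clerk's value $r^* = r^t$: the clerk obtains a valid group signature on a digest $m'' = m't$ of its own choosing.

```python
import hashlib
import secrets
from math import gcd, prod

P = 2039                 # toy safe prime 2*1019 + 1 (assumption; use >= 512 bits in practice)
P_PRIME = (P - 1) // 2


def primitive_element(p, p_prime):
    """Primitive element of GF(p) for a safe prime p: a^2 != 1 and a^p' != 1."""
    for a in range(2, p):
        if pow(a, 2, p) != 1 and pow(a, p_prime, p) != 1:
            return a


ALPHA = primitive_element(P, P_PRIME)


def f(m: bytes) -> int:
    """One-way function: SHA-256 reduced modulo p - 1 (assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P - 1)


class Member:
    """Group member u_i: holds z_i, publishes y_i = alpha^z_i, keeps k_i per signature."""

    def __init__(self, z=None):
        self.z = z if z is not None else secrets.randbelow(P - 1) + 1
        self.y = pow(ALPHA, self.z, P)
        self.k = None

    def broadcast_r(self):
        self.k = secrets.randbelow(P - 1) + 1
        return pow(ALPHA, self.k, P)                      # r_i

    def partial_sign(self, m: bytes, r: int) -> int:
        return (self.z * f(m) - self.k * r) % (P - 1)     # s_i = z_i m' - k_i r


def group_public_key(members):
    return prod(u.y for u in members) % P                 # y = prod y_i


def clerk_check_partial(y_i, r_i, s_i, r, m) -> bool:
    """y_i^{m'} == r_i^r * alpha^{s_i} (mod p): note the exponent is r, not r_i."""
    return pow(y_i, f(m), P) == pow(r_i, r, P) * pow(ALPHA, s_i, P) % P


def verify(y, m, sig) -> bool:
    """Group signature check y^{m'} == r^r * alpha^s (mod p), same as for a single signer."""
    r, s = sig
    return pow(y, f(m), P) == pow(r, r, P) * pow(ALPHA, s, P) % P


def group_sign(members, m: bytes):
    r_list = [u.broadcast_r() for u in members]
    r = prod(r_list) % P                     # every member computes this itself
    partials = []
    for u, r_i in zip(members, r_list):
        s_i = u.partial_sign(m, r)
        if not clerk_check_partial(u.y, r_i, s_i, r, m):
            raise ValueError("invalid partial signature")
        partials.append(s_i)
    return r, sum(partials) % (P - 1)        # {r, s}


def malicious_clerk_forge(members, m_signed: bytes, m_target: bytes):
    """Attack (iv): the members let the clerk compute r for them. The clerk picks t
    with f(m_signed)*t == f(m_target) (mod p-1), broadcasts r* = r^t, collects the
    s_i computed with r*, and outputs (r*, t*s), a valid signature on m_target.
    Returns None when no such t exists (f(m_target) not a multiple of gcd(m', p-1))."""
    m1, m2 = f(m_signed), f(m_target)
    g = gcd(m1, P - 1)
    if m1 == 0 or m2 % g:
        return None
    n = (P - 1) // g
    t = (m2 // g) * pow(m1 // g, -1, n) % n
    r = prod(u.broadcast_r() for u in members) % P
    r_star = pow(r, t, P)
    s = sum(u.partial_sign(m_signed, r_star) for u in members) % (P - 1)
    return r_star, (s * t) % (P - 1)
```

The members' own partial checks pass against $r^*$ as well, so nothing in the protocol flags the substitution; only computing r locally from the broadcast $r_i$ removes the clerk's freedom to choose the exponent.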

3.5 Other features 

(i) In this scheme, a signature signed only by some of the
members cannot be verified correctly by an outsider. In
other words, a valid group signature must be mutually
generated by all members.

(ii) The group signature in this scheme consists of a
single pair {r, s}. The n individual signatures produced by all
members consist of n pairs $\{r_i, s_i\}$. Thus, the scheme
combines n individual signatures into a single signature.

(iii) The group signature verification process requires
a fixed number of modular exponentiations, independent
of n, whereas verifying n individual signatures requires n
times as many. Thus, this scheme speeds up the verifica-
tion process by a factor of n.

(iv) The same scheme can be easily applied to solve the
digital multisignature problem. Instead of combining n
individual signatures in a group-oriented signature, the
digital multisignature scheme should be able to combine
any number of individual signatures into a multi-
signature. Also, instead of using a fixed group public key
to verify the signature as in the group-oriented signature
scheme, the verifier in the digital multisignature scheme
should use all signers' public keys to verify the multi-
signature. There are two properties that need to be
achieved in the design of an optimal digital multi-
signature scheme: (a) the size of the multisignature
should be equivalent to the size of an individual's signa-
ture; and (b) the verification process of the multisignature
should be almost equivalent to the verification process of
an individual's signature. References 13, 15 and 16
provide more information on this topic. All existing
digital multisignature schemes are based on the factoring
problem. Since each user selects a different modulus n for
their public key, there are two problems associated with
this approach: (a) the signing order has certain
restrictions (i.e. the moduli associated with signers should
be arranged in ascending order); and (b) the multi-
signature verification process requires all the different moduli
n (i.e. the required work is linear in the number of
signers). Thus, they are not optimal digital multi-
signature schemes. The proposed multisignature scheme
is the first scheme based on the discrete logarithm
problem. Since all users use the same modulus p in this
scheme, it allows users to sign the same message
simultaneously. In addition, it can compress n partial sig-
natures into a multisignature without any data expansion
and it also simplifies the verification process significantly.
Thus, the proposed scheme is optimal.

4 (t, n) Threshold digital signature scheme with
the assistance of a mutually trusted party

This scheme utilises the cryptographic techniques of
Shamir's perfect secret sharing scheme [19] based on the
Lagrange interpolating polynomial and the digital signa-
ture algorithm proposed by NIST [20]. The trusted key
authentication center (KAC) is responsible for selecting
all parameters, the group secret key and all secret
shadows for group members. The KAC selects:

(i) p, a large prime modulus, where $2^{511} < p < 2^{512}$;

(ii) q, a prime divisor of p - 1, where $2^{159} < q < 2^{160}$;

(iii) $\{a_i,\ i = 0, \ldots, t-1\}$ and $f(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1} \bmod q$,
where each $a_i$ is a random integer with $0 < a_i < q$;

(iv) $\alpha$, where $\alpha = h^{(p-1)/q} \bmod p$, h is a random integer
with $1 < h < p - 1$ such that $h^{(p-1)/q} \bmod p > 1$. $\alpha$ is a
generator of order q in GF(p). $\{p, q, \alpha\}$ are the public
values; $\{a_i,\ i = 0, \ldots, t-1\}$ are the secret values.

It should be pointed out that, according to Lemma 1 in
Reference 20, if $\alpha$ is a generator of order q in GF(p),
then $\alpha^{r} \bmod p = \alpha^{r \bmod q} \bmod p$ for any nonnegative
integer r.

4.1 Group secret key and secret shadows generation
phase

The group secret key is determined by the KAC as f(0). The
secret shadow for each group member is also determined
by the KAC as

$f(x_i) \bmod q, \quad i = 1, 2, \ldots, n$

where $x_i$ is the public value associated with each group
member. The KAC also needs to compute one group
public key y as

$y = \alpha^{f(0)} \bmod p$

for group signature verification purposes, and public keys
$y_i$ as

$y_i = \alpha^{f(x_i)} \bmod p, \quad i = 1, 2, \ldots, n$

for all group members.

4.2 (t, n) Threshold signature generation phase
This scheme allows any t group members to represent the
group to sign a message m. Without loss of generality,
assume that the t group members involved are denoted
$u_1, u_2, \ldots, u_t$. This phase can be further divided into
two parts.

Part 1: Individual signature generation and verification.
Members can sign the message simultaneously. Here, just
the procedures associated with member $u_i$ are described.

Member $u_i$ randomly selects an integer $k_i \in [1, q - 1]$
and computes a public value $r_i$ as

$r_i = \alpha^{k_i} \bmod p$

and makes $r_i$ publicly available through a broadcast
channel. Once all $r_i$ are available, each member computes
the product r as

$r = \prod_{i=1}^{t} r_i \bmod p$

Member $u_i$ uses his secret keys $f(x_i)$ and $k_i$ to sign the
message m based on the modified signature scheme.
Member $u_i$ then solves the equation

$s_i = f(x_i)\, m' \prod_{j=1,\, j \ne i}^{t} \frac{-x_j}{x_i - x_j} - k_i r \pmod q$

for the integer $s_i$, where $0 \le s_i \le q - 1$ and $m' = f(m)$; the
product is the Lagrange coefficient of $f(x_i)$ at x = 0 over
the t signers, evaluated mod q, and is denoted $\lambda_i$ below.
$u_i$ transmits $\{m, s_i\}$ to a designated clerk. Note here that the
individual signature $\{r_i, s_i\}$ is a partial signature of
message m.

Once the clerk receives the individual signature $\{r_i, s_i\}$
from $u_i$, he needs to verify the validity of this partial sig-
nature. The clerk uses $u_i$'s public keys $x_i$ and $y_i$, the
public values $x_j$ of the other signers, and the partial
signature $\{r_i, s_i\}$ to check

$y_i^{m' \lambda_i} = r_i^{r} \alpha^{s_i} \bmod p, \quad \lambda_i = \prod_{j=1,\, j \ne i}^{t} \frac{-x_j}{x_i - x_j} \bmod q$

where $m' = f(m)$. If the equation holds true, the partial
signature $\{r_i, s_i\}$ of message m received from $u_i$ is valid.

Part 2: (t, n) Signature generation. Once t partial signa-
tures are received and verified by the clerk, the group
signature of message m can be generated as {r, s}, where
$s = s_1 + s_2 + \cdots + s_t \pmod q$.

4.3 (t, n) Threshold signature verification phase
After receiving the group signature {r, s} of the message
m, an outsider needs to use the group public key y to
verify the validity of the signature. The verification pro-
cedure is given as

$y^{m'} = r^{r} \alpha^{s} \bmod p$

where $m' = f(m)$. If the equation holds true, the group
signature {r, s} is valid.

Theorem: If $y^{m'} = r^{r} \alpha^{s} \bmod p$, the group signature {r, s}
has been verified.

Proof: With the knowledge of the secret shadow $f(x_i)$, user $u_i$
is able to generate its partial signature $\{r_i, s_i\}$ for message
m to satisfy

$y_i^{m' \lambda_i} = r_i^{r} \alpha^{s_i} \bmod p, \quad \lambda_i = \prod_{j=1,\, j \ne i}^{t} \frac{-x_j}{x_i - x_j} \bmod q$

Multiplying the above equation for i = 1, 2, ..., t gives

$\prod_{i=1}^{t} y_i^{m' \lambda_i} = \prod_{i=1}^{t} r_i^{r} \alpha^{s_i} \bmod p$ (3)

With the knowledge of t pairs $(x_i, f(x_i))$, the unique
(t - 1)th degree polynomial f(x) can be determined as

$f(x) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \ne i}^{t} \frac{x - x_j}{x_i - x_j} \bmod q$

so that $f(0) = \sum_{i=1}^{t} f(x_i) \lambda_i \bmod q$. The left-hand side of
eqn. 3 can therefore be rewritten as

$\alpha^{m' \sum_{i=1}^{t} f(x_i) \lambda_i \bmod q} \bmod p = \alpha^{m' f(0)} \bmod p = y^{m'} \bmod p$

Since the group signature {r, s} can be expressed as

$r = \prod_{i=1}^{t} r_i \bmod p \quad \text{and} \quad s = s_1 + s_2 + \cdots + s_t \pmod q$

the right-hand side of eqn. 3 can be rewritten as

$r^{r} \alpha^{s} \bmod p$
4.4 Security analysis

Here, several possible attacks are considered, but none can
successfully break the scheme.

(i) Derivation of the group secret key f(0) and the
secret shadows $f(x_i)$, i = 1, 2, ..., n, from the group
public key $y = \alpha^{f(0)} \bmod p$ and the public keys of the
members $y_i = \alpha^{f(x_i)} \bmod p$, i = 1, 2, ..., n, is equiva-
lent to solving discrete logarithm problems.

(ii) Derivation of the secret shadow $f(x_i)$ from one or
more partial signature pairs $(r_i, s_i)$ based on the equa-
tion

$s_i = f(x_i)\, m' \prod_{j=1,\, j \ne i}^{t} \frac{-x_j}{x_i - x_j} - k_i r \pmod q$

has the same difficulty as in the modified ElGamal signature
scheme.

(iii) Derivation of the group secret key f(0) from one
or more group signature pairs (r, s), based on the
equation

$s = f(0)\, m' - k r \pmod q$

has the same difficulty as in the modified ElGamal signature
scheme.

(iv) An attacker might try to impersonate member $u_i$
by randomly selecting an integer $k'_i \in [1, q - 1]$ and
broadcasting $r'_i = \alpha^{k'_i} \bmod p$. Since the product

$r' = r'_i \prod_{j=1,\, j \ne i}^{t} r_j \bmod p$

is determined by all t members, without knowing the
secret shadow $f(x_i)$ the attacker cannot generate a valid
partial signature pair $(r'_i, s'_i)$ satisfying the verification
equation

$y_i^{m' \lambda_i} = r_i'^{\,r'} \alpha^{s'_i} \bmod p, \quad \lambda_i = \prod_{j=1,\, j \ne i}^{t} \frac{-x_j}{x_i - x_j} \bmod q$
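The (t, n) scheme with a KAC (sections 4.1 to 4.3), as an added worked example (illustrative code, not code from the paper), with the Lagrange coefficient of section 4.2 written out as `lagrange_at_zero`. The toy parameters p = 2039, q = 1019 (q | p - 1 and $\alpha = h^{(p-1)/q} \bmod p$), the public points $x_i = i$, SHA-256 reduced modulo q as f, and the function names are assumptions; the paper asks for a 512-bit p and a 160-bit q. The clerk's partial-signature check is included, and the outsider's verification uses only the group key.

```python
import hashlib
import secrets
from math import prod

# Toy DSS-style parameters (assumption): q | p - 1, here p = 2q + 1.
P, Q = 2039, 1019
assert (P - 1) % Q == 0


def make_alpha(p, q):
    """alpha = h^((p-1)/q) mod p for the first h giving alpha > 1; alpha then has order q."""
    for h in range(2, p - 1):
        a = pow(h, (p - 1) // q, p)
        if a > 1:
            return a


ALPHA = make_alpha(P, Q)


def f(m: bytes) -> int:
    """One-way function: SHA-256 reduced modulo q (assumption). By Lemma 1 of
    Reference 20 only the residue mod q matters in an exponent of alpha."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % Q


def lagrange_at_zero(x_i, xs):
    """lambda_i = prod_{j != i} (-x_j)/(x_i - x_j) mod q over the signing set xs,
    so that f(0) = sum_i f(x_i) * lambda_i when xs holds at least t points."""
    num = den = 1
    for x_j in xs:
        if x_j != x_i:
            num = num * (-x_j) % Q
            den = den * (x_i - x_j) % Q
    return num * pow(den, -1, Q) % Q


def kac_setup(t, n):
    """KAC picks f(x) = a_0 + ... + a_{t-1} x^{t-1} mod q, the group key y = alpha^f(0),
    each member's shadow f(x_i) and public key y_i = alpha^f(x_i). x_i = i (assumption)."""
    coeffs = [secrets.randbelow(Q - 1) + 1 for _ in range(t)]          # 0 < a_i < q
    poly = lambda x: sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q
    xs = list(range(1, n + 1))
    shadows = {x: poly(x) for x in xs}
    y = pow(ALPHA, poly(0), P)
    ys = {x: pow(ALPHA, shadows[x], P) for x in xs}
    return y, ys, shadows


def partial_sign(x_i, shadow_i, k_i, r, m, signers):
    """s_i = f(x_i) * m' * lambda_i - k_i * r mod q."""
    return (shadow_i * f(m) * lagrange_at_zero(x_i, signers) - k_i * r) % Q


def clerk_check_partial(x_i, y_i, r_i, s_i, r, m, signers) -> bool:
    """y_i^{m' lambda_i} == r_i^r * alpha^{s_i} (mod p)."""
    e = f(m) * lagrange_at_zero(x_i, signers) % Q
    return pow(y_i, e, P) == pow(r_i, r, P) * pow(ALPHA, s_i, P) % P


def verify(y, m, sig) -> bool:
    """Outsider's check with the group key only: y^{m'} == r^r * alpha^s (mod p)."""
    r, s = sig
    return pow(y, f(m), P) == pow(r, r, P) * pow(ALPHA, s, P) % P


def threshold_sign(signers, shadows, ys, m):
    """The members listed in `signers` produce {r, s}; the clerk rejects bad partials.
    The result verifies under y only if at least t members took part."""
    ks = {x: secrets.randbelow(Q - 1) + 1 for x in signers}
    rs = {x: pow(ALPHA, ks[x], P) for x in signers}          # broadcast r_i
    r = prod(rs.values()) % P                                 # r = prod r_i
    s = 0
    for x in signers:
        s_i = partial_sign(x, shadows[x], ks[x], r, m, signers)
        if not clerk_check_partial(x, ys[x], rs[x], s_i, r, m, signers):
            raise ValueError("invalid partial signature from member x=%d" % x)
        s = (s + s_i) % Q
    return r, s
```

With fewer than t signers every partial still passes the clerk's check (each is consistent with its own Lagrange coefficient), but the coefficients no longer interpolate f(0), so the combined pair fails under y; this is why the clerk's check is a correctness filter and not a substitute for the threshold.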



5 (t, n) Threshold signature scheme without the
assistance of a mutually trusted party

This scheme is the combination of the two previous
schemes. The group secret and public keys are deter-
mined by all group members according to the (n, n) signa-
ture scheme above. Since there is no mutually trusted
party, each member acts as a KAC to generate and
distribute shadows of his secret key to the other members
according to the (t, n) scheme.

There are some public parameters that should be
agreed upon by all group members:

(i) p, a large prime modulus, where $2^{511} < p < 2^{512}$;

(ii) q, a prime divisor of p - 1, where $2^{159} < q < 2^{160}$;

(iii) $\alpha$, where $\alpha = h^{(p-1)/q} \bmod p$, h is a random integer
with $1 < h < p - 1$ such that $h^{(p-1)/q} \bmod p > 1$.

5.1 Public keys generating phase

Each member randomly selects integers $z_i$ and $x_i$ from
[1, p - 1] (the $x_i$ must be distinct and nonzero modulo q,
since they serve as the interpolation points) and computes
a corresponding public key as

$y_i = \alpha^{z_i} \bmod p$

$\{x_i, y_i\}$ are the member's public keys and $z_i$ is the
member's secret key. Then the group public key y is
determined by all members as

$y = \prod_{i=1}^{n} y_i \bmod p$

Since there is no mutually trusted party, each member
acts as a KAC and uses the (t, n - 1) secret sharing
scheme described in the previous section to distrib-
ute his secret key to the other n - 1 members. Member
$u_i$ with secret key $z_i$ randomly selects a (t - 1)th
degree polynomial $f_i(x)$ with $f_i(0) = z_i \bmod q$ and com-
putes the secret shadow $f_i(x_j) \bmod q$ and the public key

$y_{i,j} = \alpha^{f_i(x_j)} \bmod p$

for each other member $u_j$.
5.2 (t, n) Threshold signature generation phase
Without loss of generality, assume that the group
members involved are denoted $u_1, u_2, \ldots, u_t$. This
phase can be further divided into two parts.

Part 1: Individual signature generation and verification.
Members can sign the message simultaneously. Here, just
the procedures associated with member $u_i$ are described.

Member $u_i$ randomly selects an integer $k_i \in [1, q - 1]$
and computes a public value $r_i$ as

$r_i = \alpha^{k_i} \bmod p$

and makes $r_i$ publicly available through a broadcast
channel. Once all $r_i$ are available, each member computes
the product r as

$r = \prod_{i=1}^{t} r_i \bmod p$

Member $u_i$ uses his secret keys $z_i$ and $k_i$, and the secret
shadows $f_j(x_i)$ for j = t + 1, t + 2, ..., n (received from
the non-participating members), to sign the message m
based on the modified signature scheme, and solves the
equation

$s_i = \left( z_i + \sum_{j=t+1}^{n} f_j(x_i) \prod_{k=1,\, k \ne i}^{t} \frac{-x_k}{x_i - x_k} \right) m' - k_i r \pmod q$

for the integer $s_i$, where $0 \le s_i \le q - 1$ and $m' = f(m)$; the
product is the Lagrange coefficient $\lambda_i$ over the t signers,
so that the t signers jointly reconstruct each absent $z_j = f_j(0)$.
$u_i$ transmits $\{m, s_i\}$ to a designated clerk. Note here that the
individual signature $\{r_i, s_i\}$ is a partial signature of
message m.

Once the clerk receives the individual signature $\{r_i, s_i\}$
from $u_i$, he needs to verify the validity of this partial sig-
nature. The clerk uses $u_i$'s public keys $x_i$, $y_i$ and $y_{j,i}$ for
j = t + 1, t + 2, ..., n, and the partial signature $\{r_i, s_i\}$ to
check

$\left( y_i \prod_{j=t+1}^{n} y_{j,i}^{\lambda_i} \right)^{m'} = r_i^{r} \alpha^{s_i} \bmod p, \quad \lambda_i = \prod_{k=1,\, k \ne i}^{t} \frac{-x_k}{x_i - x_k} \bmod q$

where $m' = f(m)$. If the equation holds true, the partial
signature $\{r_i, s_i\}$ of message m received from $u_i$ has been
verified.

Part 2: (t, n) Signature generation. Once t partial signa-
tures are received and verified by the clerk, the group
signature of message m can be generated as {r, s}, where
$s = s_1 + s_2 + \cdots + s_t \pmod q$.

5.3 (t, n) Threshold signature verification phase
The verification procedure is given as

$y^{m'} = r^{r} \alpha^{s} \bmod p$

where $m' = f(m)$. If the equation holds, the group signa-
ture {r, s} is valid.

Theorem: If $y^{m'} = r^{r} \alpha^{s} \bmod p$, the group signature {r, s}
has been verified.

Proof: The proof is similar to the proof in the previous
section: summing the $s_i$ gives $\left(\sum_{i=1}^{t} z_i + \sum_{j=t+1}^{n} f_j(0)\right) m' - k r$
with $k = \sum_{i=1}^{t} k_i$, and $\sum_{i=1}^{n} z_i$ is the discrete logarithm of y.

One additional problem needs to be solved because
these group members are not mutually trusted. The
problem is how to convince the rest of the members that
the secret shadows received from the dealer (one of the
group members) are derived consistently from the same secret
without revealing the secret to the others. This problem
matters in practice: a dishonest member can cheat some
members by giving them fake shadows, and communication
errors (i.e. noise) can also result in fake shadows.

It is now shown that, with this scheme, it is very easy
to prevent the dealer from cheating the others.

Theorem: Any received fake shadow can be easily
detected by any member.

Proof: First, the situation of fake shadows caused by
communication noise is examined. Member $u_j$ receives a
fake shadow $f'_i(x_j)$ from member $u_i$, while the corres-
ponding public key is $y_{i,j} = \alpha^{f_i(x_j)} \bmod p$. Obviously, this
fake shadow is detected by $u_j$ by checking
$\alpha^{f'_i(x_j)} \bmod p \ne y_{i,j}$. Now consider what happens if a
dishonest member $u_i$ picks a fake shadow $f'_i(x_j)$ and
publishes the corresponding public key as
$y_{i,j} = \alpha^{f'_i(x_j)} \bmod p$, so that the check above passes. It is
known that if the member is honest and distributes only
real shadows, then with the knowledge of any t shadows
out of the n - 1 shadows, the same polynomial $f_i(x)$ can be
reconstructed. There are $\binom{n-1}{t}$ ways to reconstruct
$f_i(x)$; in other words, all these reconstructed polynomials
will pass through $f_i(0) = z_i$. However, if there are fake
shadows, some reconstructed polynomials will be different
from $f_i(x)$ and will not pass through $f_i(0) = z_i$; and, without
knowing these shadows, this condition can still be exam-
ined by just knowing the public keys of the shadows.
Using the theorem in the previous section, for any t
public keys of secret shadows $y_{i,j_k}$, k = 1, 2, ..., t, we
have

$y_i = \prod_{k=1}^{t} y_{i,j_k}^{\lambda_{j_k}} \bmod p, \quad \lambda_{j_k} = \prod_{l=1,\, l \ne k}^{t} \frac{-x_{j_l}}{x_{j_k} - x_{j_l}} \bmod q$

Since every t out of the n - 1 public values must satisfy
the above relation, members can verify their secret
shadows individually, and any subset containing a fake
shadow fails the check.

The security analysis of this scheme is almost the same
as that of the previous one. However, this scheme does not
need the assistance of a mutually trusted party.
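The dealerless setup of section 5.1 together with the fake-shadow theorem, as an added worked example (illustrative code, not code from the paper). Each member acts as a KAC for its own $z_i$; `deal` optionally hands one member an inconsistent shadow with a matching public key $y_{i,j}$ (the case the second half of the proof addresses, where the simple check $\alpha^{f_i(x_j)} = y_{i,j}$ passes), and `inconsistent_subsets` applies the relation $y_i = \prod_k y_{i,j_k}^{\lambda_{j_k}}$ to every t-subset of the published keys. The toy p = 2039, q = 1019, the points $x_j$, and the function names are assumptions; signing then proceeds as in section 5.2.

```python
import secrets
from itertools import combinations
from math import prod

P, Q = 2039, 1019     # toy parameters with Q | P-1 (assumption); the paper wants 512-bit P, 160-bit Q


def make_alpha(p, q):
    """alpha = h^((p-1)/q) mod p with alpha > 1, hence of order q."""
    for h in range(2, p - 1):
        a = pow(h, (p - 1) // q, p)
        if a > 1:
            return a


ALPHA = make_alpha(P, Q)


def lagrange_at_zero(x_k, xs):
    """lambda_k = prod_{l != k} (-x_l)/(x_k - x_l) mod q over the subset xs."""
    num = den = 1
    for x_l in xs:
        if x_l != x_k:
            num = num * (-x_l) % Q
            den = den * (x_k - x_l) % Q
    return num * pow(den, -1, Q) % Q


def deal(z_i, t, others, cheat_on=None):
    """Member u_i acts as KAC: f_i(0) = z_i, hands f_i(x_j) to u_j and publishes
    y_ij = alpha^f_i(x_j). With cheat_on == x_j, u_j instead receives an inconsistent
    shadow together with a public key that matches it (dishonest dealer)."""
    coeffs = [z_i % Q] + [secrets.randbelow(Q - 1) + 1 for _ in range(t - 1)]
    f_i = lambda x: sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q
    shadows = {x: f_i(x) for x in others}
    if cheat_on is not None:
        shadows[cheat_on] = (shadows[cheat_on] + 1) % Q
    pub = {x: pow(ALPHA, sh, P) for x, sh in shadows.items()}
    return shadows, pub


def shadow_matches_public(shadow, y_ij) -> bool:
    """First check in the proof: a shadow corrupted in transit no longer matches y_ij."""
    return pow(ALPHA, shadow, P) == y_ij


def inconsistent_subsets(y_i, pub, t):
    """Second check: every t-subset of published shadow keys must satisfy
    prod_k y_ij_k^{lambda_k} == y_i (mod p). Returns the subsets that fail."""
    bad = []
    for subset in combinations(sorted(pub), t):
        lhs = prod(pow(pub[x], lagrange_at_zero(x, subset), P) for x in subset) % P
        if lhs != y_i:
            bad.append(subset)
    return bad


def suspect_points(bad_subsets):
    """Points common to all failing subsets; with a single fake shadow this is its x_j."""
    return set.intersection(*map(set, bad_subsets)) if bad_subsets else set()
```

Because the check uses only public values, any member (not just the recipient of the suspect shadow) can run `inconsistent_subsets` on the dealer's published keys before taking part in a signature.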

6 Conclusion 

Three threshold digital signature schemes based on the 
difficulty of solving the discrete logarithm problem are 
proposed. The group signature can be generated when 
the number of participating members is larger than or 
equal to the threshold value. The size of the group signa- 
ture and the verification time of the signature are the 
same as that of an individual signature. The first scheme 
is a special case which requires all group members to sign 
the message together. This scheme can be easily applied 
to generate digital multisignature. The second scheme 
provides a general solution and it requires the assistance 
of a mutually trusted party; however, the third scheme 
does not require the mutually trusted party. 